When checking for updates, the FLEXnet Connect client (and it's previous versions named InstallShield Update Service) can download and execute scripts from the update server. The problem is that these scripts are downloaded via HTTP, so the identity of the server isn't verified and the scripts are not encrypted. Therefore an attacker could cause the client to execute malicious scripts, for instance by redirecting the connection using a proxy or a DNS attack. There's no fix available but the following article from the US-CERT (United States Computer Emergency Readiness Team) lists some possible workarounds:
Vulnerability Note VU#837092: InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts
This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Security Vulnerability in FLEXnet Connect
No replies to this topic